Dear Alexander,
The main intention is to set up a FreeIPA server with a domain trust to a Windows 2019 AD server. So for the whole Windows environment we would like to use the Windows 2019 AD server, and for all our Linux-based servers we would like to use the FreeIPA server.
At this point we have set up a basic Windows 2019 AD domain with the realm ad.srv.world,
and the FreeIPA server has the realm ipa.srv.world.
The Windows 2019 server also acts as the DNS server; the FreeIPA server has its own DNS rules and a forwarding rule enabled for the zone ad.srv.world (the Windows 2019 DNS server).
On the IPA server I ran the following command:
ipa-server-install --realm=AD.SRV.WORLD --domain=ad.srv.domain --ssh-trust-dns --setup-dns --forwarder=xxx.xxx.xxx.xxx
Everything seems to work OK on the IPA server. But when trying to add the FreeIPA server to the Windows 2019 AD I'm getting the following error:
ipa trust-add --type=ad ad.srv.world --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
I already tried to change permissions on the AD side, but the Domain Admins group policy should be enough to set up a trusted domain between these two.
kinit admin
Password for admin@IPA.SRV.WORLD:
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@IPA.SRV.WORLD
Valid starting Expires Service principal
11/13/2018 11:12:38 11/14/2018 11:12:36 krbtgt/IPA.SRV.WORLD@IPA.SRV.WORL
smbclient -L dlp.ipa.srv.world -k -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
lp_load_ex: changing to config backend registry
Initialising global parameters
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface eth0 ip=10.50.1.103 bcast=10.50.1.255 netmask=255.255.255.0
Client started (version 4.7.1).
Connecting to 10.50.1.103 at port 445
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
SPNEGO login failed: {Access Denied} A proc
ipa/default.conf
[global]
host = dlp.ipa.srv.world
basedn = dc=ipa,dc=srv,dc=world
realm = IPA.SRV.WORLD
domain = ipa.srv.world
xmlrpc_uri = https://dlp.ipa.srv.world/ipa/xml
ldap_uri = ldapi://%2fvar%2frun%2fslapd-IPA-SRV-WORLD.socket
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10
mode = production
krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = IPA.SRV.WORLD
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
IPA.SRV.WORLD = {
kdc = dlp.ipa.srv.world:88
master_kdc = dlp.ipa.srv.world:88
admin_server = dlp.ipa.srv.world:749
default_domain = ipa.srv.world
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.ipa.srv.world = IPA.SRV.WORLD
ipa.srv.world = IPA.SRV.WORLD
dlp.ipa.srv.world = IPA.SRV.WORLD
[dbmodules]
IPA.SRV.WORLD = {
db_library = ipadb.so
}
/var/log/http/*
rpc reply data:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ........ ........
[0020] 01 00 00 00 03 00 00 00 4B 00 00 00 4B 00 00 00 ........ K...K...
[0030] 05 00 13 00 0D 78 57 34 12 34 12 CD AB EF 00 01 .....xW4 .4......
[0040] 23 45 67 89 AB 00 00 02 00 00 00 13 00 0D 04 5D #Eg..... .......]
[0050] 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 ........ ..+.H`..
[0060] 02 00 00 00 01 00 0B 02 00 00 00 01 00 07 02 00 ........ ........
[0070] C0 00 01 00 09 04 00 0A 32 01 67 00 00 00 00 00 ........ 2.g.....
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dee40
s4_tevent: Cancel immediate event 0x7f45cc3dee40 "tevent_req_trigger"
Mapped to DCERPC endpoint 49152
added interface eth0 ip= xx.xx.xx.xxx bcast= xx.xx.xx.255 netmask=255.255.255.0
added interface eth0 ip= xx.xx.xx.xxx bcast= xx.xx.xx.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name dlp.ipa.srv.world<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
s4_tevent: Added timed event "composite_trigger": 0x7f45cc3c41f0
s4_tevent: Running timer event 0x7f45cc3c41f0 "composite_trigger"
s4_tevent: Ending timer event 0x7f45cc3c41f0 "composite_trigger"
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
GSSAPI credentials for admin@IPA.SRV.WORLD will expire in 86359 secs
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Credential cache is empty
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dde50
s4_tevent: Cancel immediate event 0x7f45cc3dde50 "tevent_req_trigger"
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for host/DLP.IPA.SRV.WORLD failed (next[(null)]): NT_STATUS_LOGON_FAILURE
Failed to setup SPNEGO negTokenInit request: NT_STATUS_LOGON_FAILURE
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3dd540
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f45cc3dd540
Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for ncacn_ip_tcp: xx.xx.xx.xxx [49152,print,target_hostname=dlp.ipa.srv.world,abstract_syntax=12345778-1234-abcd-ef00-0123456789ab/0x00000000,localaddress=xx.xx.xx.xxx] NT_STATUS_LOGON_FAILURE
s4_tevent: Destroying timer event 0x7f45cc3b9670 "dcerpc_connect_timeout_handler"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f45cc3c5ef0
s4_tevent: Cancel immediate event 0x7f45cc3c5ef0 "tevent_req_trigger"
[Tue Nov 13 10:51:04.693630 2018] [:error] [pid 24146] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Tue Nov 13 10:51:04.693675 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Tue Nov 13 10:51:04.693689 2018] [:error] [pid 24146] result = command(*args, **options)
[Tue Nov 13 10:51:04.693700 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Tue Nov 13 10:51:04.693711 2018] [:error] [pid 24146] return self.__do_call(*args, **options)
[Tue Nov 13 10:51:04.693722 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Tue Nov 13 10:51:04.693733 2018] [:error] [pid 24146] ret = self.run(*args, **options)
[Tue Nov 13 10:51:04.693743 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Tue Nov 13 10:51:04.693754 2018] [:error] [pid 24146] return self.execute(*args, **options)
[Tue Nov 13 10:51:04.693765 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 726, in execute
[Tue Nov 13 10:51:04.693776 2018] [:error] [pid 24146] full_join = self.validate_options(*keys, **options)
[Tue Nov 13 10:51:04.693786 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/trust.py", line 829, in validate_options
[Tue Nov 13 10:51:04.693797 2018] [:error] [pid 24146] self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
[Tue Nov 13 10:51:04.693808 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1557, in __init__
[Tue Nov 13 10:51:04.693818 2018] [:error] [pid 24146] self.__populate_local_domain()
[Tue Nov 13 10:51:04.693829 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1570, in __populate_local_domain
[Tue Nov 13 10:51:04.693840 2018] [:error] [pid 24146] ld.retrieve(installutils.get_fqdn())
[Tue Nov 13 10:51:04.693850 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 960, in retrieve
[Tue Nov 13 10:51:04.693861 2018] [:error] [pid 24146] self.init_lsa_pipe(remote_host)
[Tue Nov 13 10:51:04.693900 2018] [:error] [pid 24146] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 879, in init_lsa_pipe
[Tue Nov 13 10:51:04.693922 2018] [:error] [pid 24146] % dict(host=remote_host))
[Tue Nov 13 10:51:04.693933 2018] [:error] [pid 24146] ACIError: Insufficient access: CIFS server dlp.ipa.srv.world denied your credentials
[Tue Nov 13 10:51:04.693944 2018] [:error] [pid 24146]
[Tue Nov 13 10:51:04.694550 2018] [:error] [pid 24146] ipa: INFO: [jsonserver_session] admin@IPA.SRV.WORLD: trust_add/1(u'ad.srv.world', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********', version=u'2.228'): ACIError
[Tue Nov 13 10:51:04.696944 2018] [:error] [pid 24146] ipa: DEBUG: Destroyed connection context.ldap2_139937313614032
/var/log/samba/*
10:51:04.514558, 1, pid=26847, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:419(ndr_print_debug)
&global_blob: struct smbXsrv_session_globalB
version : SMBXSRV_VERSION_0 (0)
seqnum : 0x00000001 (1)
info : union smbXsrv_session_globalU(case 0)
info0 : *
info0: struct smbXsrv_session_global0
db_rec : *
session_global_id : 0x7990abe5 (2039524325)
session_wire_id : 0x000000007990abe5 (2039524325)
creation_time : Tue Nov 13 10:51:05 AM 2018 CET
expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
auth_time : NTTIME(0)
auth_session_info_seqnum : 0x00000000 (0)
auth_session_info : NULL
connection_dialect : 0x0311 (785)
signing_flags : 0x00 (0)
0: SMBXSRV_SIGNING_REQUIRED
0: SMBXSRV_PROCESSED_SIGNED_PACKET
0: SMBXSRV_PROCESSED_UNSIGNED_PACKET
encryption_flags : 0x00 (0)
0: SMBXSRV_ENCRYPTION_REQUIRED
0: SMBXSRV_ENCRYPTION_DESIRED
0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET
0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET
num_channels : 0x00000001 (1)
channels: ARRAY(1)
channels: struct smbXsrv_channel_global0
server_id: struct server_id
pid : 0x00000000000068df (26847)
task_id : 0x00000000 (0)
vnn : 0xffffffff (4294967295)
unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807)
local_address : 'ipv4:10.50.1.103:445'
remote_address : 'ipv4:10.50.1.103:56404'
remote_name : '10.50.1.103'
auth_session_info_seqnum : 0x00000000 (0)
connection : *
encryption_cipher : 0x0000 (0)
[2018/11/13 10:51:04.515148, 5, pid=26847, effective(0, 0), real(0, 0)]
018/11/13 10:51:04.515354, 1, pid=26847, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:419(ndr_print_debug)
&session_blob: struct smbXsrv_sessionB
version : SMBXSRV_VERSION_0 (0)
reserved : 0x00000000 (0)
info : union smbXsrv_sessionU(case 0)
info0 : *
info0: struct smbXsrv_session
table : *
db_rec : NULL
client : *
local_id : 0x7990abe5 (2039524325)
global : *
global: struct smbXsrv_session_global0
db_rec : NULL
session_global_id : 0x7990abe5 (2039524325)
session_wire_id : 0x000000007990abe5 (2039524325)
creation_time : Tue Nov 13 10:51:05 AM 2018 CET
expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
auth_time : NTTIME(0)
auth_session_info_seqnum : 0x00000000 (0)
auth_session_info : NULL
connection_dialect : 0x0311 (785)
signing_flags : 0x00 (0)
0: SMBXSRV_SIGNING_REQUIRED
0: SMBXSRV_PROCESSED_SIGNED_PACKET
0: SMBXSRV_PROCESSED_UNSIGNED_PACKET
encryption_flags : 0x00 (0)
0: SMBXSRV_ENCRYPTION_REQUIRED
0: SMBXSRV_ENCRYPTION_DESIRED
0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET
0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET
num_channels : 0x00000001 (1)
channels: ARRAY(1)
channels: struct smbXsrv_channel_global0
server_id: struct server_id
pid : 0x00000000000068df (26847)
task_id : 0x00000000 (0)
vnn : 0xffffffff (4294967295)
unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807)
local_address : 'ipv4:10.50.1.103:445'
remote_address : 'ipv4:10.50.1.103:56404'
remote_name : '10.50.1.103'
auth_session_info_seqnum : 0x00000000 (0)
connection : *
encryption_cipher : 0x0000 (0)
status : NT_STATUS_MORE_PROCESSING_REQUIRED
idle_time : Tue Nov 13 10:51:05 AM 2018 CET
nonce_high_random : 0x0000000000000000 (0)
nonce_high_max : 0x0000000000000000 (0)
nonce_high : 0x0000000000000000 (0)
nonce_low : 0x0000000000000000 (0)
compat : NULL
tcon_table : *
pending_auth : NULL
version : SMBXSRV_VERSION_0 (0)
reserved : 0x00000000 (0)
info : union smbXsrv_sessionU(case 0)
info0 : *
info0: struct smbXsrv_session
table : *
db_rec : NULL
client : *
local_id : 0x7990abe5 (2039524325)
global : *
global: struct smbXsrv_session_global0
db_rec : NULL
session_global_id : 0x7990abe5 (2039524325)
session_wire_id : 0x000000007990abe5 (2039524325)
creation_time : Tue Nov 13 10:51:05 AM 2018 CET
expiration_time : Thu Jan 1 01:00:00 AM 1970 CET
auth_time : NTTIME(0)
auth_session_info_seqnum : 0x00000000 (0)
auth_session_info : NULL
connection_dialect : 0x0311 (785)
signing_flags : 0x00 (0)
0: SMBXSRV_SIGNING_REQUIRED
0: SMBXSRV_PROCESSED_SIGNED_PACKET
0: SMBXSRV_PROCESSED_UNSIGNED_PACKET
encryption_flags : 0x00 (0)
0: SMBXSRV_ENCRYPTION_REQUIRED
0: SMBXSRV_ENCRYPTION_DESIRED
0: SMBXSRV_PROCESSED_ENCRYPTED_PACKET
0: SMBXSRV_PROCESSED_UNENCRYPTED_PACKET
num_channels : 0x00000001 (1)
channels: ARRAY(1)
channels: struct smbXsrv_channel_global0
server_id: struct server_id
pid : 0x00000000000068df (26847)
task_id : 0x00000000 (0)
vnn : 0xffffffff (4294967295)
unique_id : 0xbd2b8cdb3e78c171 (-4815600503268785807)
local_address : 'ipv4:10.50.1.103:445'
remote_address : 'ipv4:10.50.1.103:56404'
remote_name : '10.50.1.103'
auth_session_info_seqnum : 0x00000000 (0)
connection : *
encryption_cipher : 0x0000 (0)
status : NT_STATUS_MORE_PROCESSING_REQUIRED
idle_time : Tue Nov 13 10:51:05 AM 2018 CET
nonce_high_random : 0x0000000000000000 (0)
nonce_high_max : 0x0000000000000000 (0)
nonce_high : 0x0000000000000000 (0)
nonce_low : 0x0000000000000000 (0)
compat : NULL
tcon_table : *
pending_auth : *
pending_auth: struct smbXsrv_session_auth0
prev : *
next : NULL
session : *
connection : *
gensec : *
preauth : *
in_flags : 0x00 (0)
in_security_mode : 0x03 (3)
creation_time : Tue Nov 13 10:51:05 AM 2018 CET
idle_time : Tue Nov 13 10:51:05 AM 2018 CET
Successfully validated Kerberos PAC
pac_data: struct PAC_DATA
num_buffers : 0x00000005 (5)
version : 0x00000000 (0)
buffers: ARRAY(5)
buffers: struct PAC_BUFFER
type : PAC_TYPE_LOGON_INFO (1)
_ndr_size : 0x000001a8 (424)
info : *
info : union PAC_INFO(case 1)
logon_info: struct PAC_LOGON_INFO_CTR
info : *
info: struct PAC_LOGON_INFO
info3: struct netr_SamInfo3
base: struct netr_SamBaseInfo
logon_time : NTTIME(0)
logoff_time : Thu Jan 1 01:00:00 AM 1970 CET
kickoff_time : Thu Jan 1 01:00:00 AM 1970 CET
last_password_change : Fri Nov 2 04:41:05 PM 2018 CET
allow_password_change : NTTIME(0)
force_password_change : Thu Jan 1 01:00:00 AM 1970 CET
account_name: struct lsa_String
length : 0x000a (10)
size : 0x000a (10)
string : *
string : 'admin'
full_name: struct lsa_String
length : 0x001a (26)
size : 0x001a (26)
string : *
string : 'Administrator'
logon_script: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
profile_path: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
home_directory: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
home_drive: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : ''
logon_count : 0x0000 (0)
bad_password_count : 0x0000 (0)
rid : 0x000001f4 (500)
primary_gid : 0x00000200 (512)
groups: struct samr_RidWithAttributeArray
count : 0x00000000 (0)
rids : *
rids: ARRAY(0)
user_flags : 0x00000000 (0)
0: NETLOGON_GUEST
0: NETLOGON_NOENCRYPTION
0: NETLOGON_CACHED_ACCOUNT
0: NETLOGON_USED_LM_PASSWORD
0: NETLOGON_EXTRA_SIDS
0: NETLOGON_SUBAUTH_SESSION_KEY
0: NETLOGON_SERVER_TRUST_ACCOUNT
0: NETLOGON_NTLMV2_ENABLED
0: NETLOGON_RESOURCE_GROUPS
0: NETLOGON_PROFILE_PATH_RETURNED
0: NETLOGON_GRACE_LOGON
key: struct netr_UserSessionKey
key: ARRAY(16): <REDACTED SECRET VALUES>
logon_server: struct lsa_StringLarge
length : 0x0006 (6)
size : 0x0008 (8)
string : *
string : 'DLP'
logon_domain: struct lsa_StringLarge
buffers: struct PAC_BUFFER
type : PAC_TYPE_LOGON_NAME (10)
_ndr_size : 0x00000014 (20)
info : *
info : union PAC_INFO(case 10)
logon_name: struct PAC_LOGON_NAME
logon_time : Mon Nov 12 04:01:01 PM 2018 CET
size : 0x000a (10)
account_name : 'admin'
_pad : 0x00000000 (0)
buffers: struct PAC_BUFFER
type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
_ndr_size : 0x000000d8 (216)
info : *
info : union PAC_INFO(case 11)
constrained_delegation: struct PAC_CONSTRAINED_DELEGATION_CTR
info : *
info: struct PAC_CONSTRAINED_DELEGATION
proxy_target: struct lsa_String
length : 0x0048 (72)
size : 0x0048 (72)
string : *
string : 'HTTP/dlp.ipa.srv.world@IPA.SRV.WORLD'
num_transited_services : 0x00000001 (1)
transited_services : *
transited_services: ARRAY(1)
transited_services: struct lsa_String
length : 0x0048 (72)
size : 0x0048 (72)
string : *
string : 'cifs/dlp.ipa.srv.world@IPA.SRV.WORLD'
_pad : 0x00000000 (0)
buffers: struct PAC_BUFFER
type : PAC_TYPE_SRV_CHECKSUM (6)
_ndr_size : 0x00000010 (16)
info : *
info : union PAC_INFO(case 6)
srv_cksum: struct PAC_SIGNATURE_DATA
type : 0x00000010 (16)
signature : DATA_BLOB length=12
[0000] 39 30 31 38 5E 6B 2C 47 9B 75 B8 50 9018^k,G .u.P
_pad : 0x00000000 (0)
buffers: struct PAC_BUFFER
type : PAC_TYPE_KDC_CHECKSUM (7)
_ndr_size : 0x00000010 (16)
info : *
info : union PAC_INFO(case 7)
kdc_cksum: struct PAC_SIGNATURE_DATA
type : 0x00000010 (16)
signature : DATA_BLOB length=12
I'm a bit stuck with this issue.
Kind regards
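The logs in the post come from two sides of one call: the IPA web server (the client, where trust_add's init_lsa_pipe() tries to bind the lsarpc interface on the local CIFS server and records the GSS-API "Credential cache is empty" failure) and smbd (the server, which printed and validated the Kerberos PAC, including the PAC_TYPE_CONSTRAINED_DELEGATION buffer with the HTTP/ and cifs/ principal names). The script below is an added example, not part of the post and not FreeIPA or Samba code: it pulls those facts out of both logs so they can be compared side by side. The two log samples are constructed in the style of the output above (the redacted address is replaced with the 10.50.1.103 that appears elsewhere in the post); the function names, the PacFindings structure and the RPC_INTERFACES table are this example's own, and the identification of 12345778-1234-abcd-ef00-0123456789ab as the lsarpc interface UUID is the standard MS-RPC interface ID.

```python
"""Triage helper for 'ipa trust-add' failing with 'Insufficient access: CIFS server <host>
denied your credentials'. Added example, not FreeIPA or Samba code. It reads the web server's
GSS-API/DCERPC client errors and smbd's NDR print of the Kerberos PAC. Samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt (client side) in the style of the httpd debug log in the post.
HTTPD_LOG = """\
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Credential cache is empty
Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for ncacn_ip_tcp: 10.50.1.103 [49152,print,target_hostname=dlp.ipa.srv.world,abstract_syntax=12345778-1234-abcd-ef00-0123456789ab/0x00000000,localaddress=10.50.1.103] NT_STATUS_LOGON_FAILURE
"""

# Constructed excerpt (server side) in the style of smbd's PAC dump in the post.
SMBD_LOG = """\
Successfully validated Kerberos PAC
pac_data: struct PAC_DATA
        type : PAC_TYPE_LOGON_INFO (1)
            account_name: struct lsa_String
                string : 'admin'
            full_name: struct lsa_String
                string : 'Administrator'
            rid : 0x000001f4 (500)
        type : PAC_TYPE_CONSTRAINED_DELEGATION (11)
            proxy_target: struct lsa_String
                string : 'HTTP/dlp.ipa.srv.world@IPA.SRV.WORLD'
            transited_services: ARRAY(1)
                transited_services: struct lsa_String
                    string : 'cifs/dlp.ipa.srv.world@IPA.SRV.WORLD'
"""

# The UUID in the failed bind is the lsarpc interface, which init_lsa_pipe() in the traceback opens.
RPC_INTERFACES = {"12345778-1234-abcd-ef00-0123456789ab": "lsarpc"}
GSS_FAIL = re.compile(r"GSS client Update\(krb5\)\(\d+\) Update failed: .*?: (?P<minor>.+)$")
BIND_FAIL = re.compile(
    r"Failed to bind to uuid (?P<uuid>[0-9a-f-]+) for (?P<transport>\S+): (?P<addr>\S+) "
    r"\[(?P<port>\d+),[^\]]*target_hostname=(?P<host>[^,\]]+)[^\]]*\] (?P<status>NT_STATUS_\w+)")
PAC_TYPE = re.compile(r"\btype\s*:\s*(PAC_TYPE_\w+)")
STRING_VAL = re.compile(r"\bstring\s*:\s*'(?P<v>[^']*)'")
RID_VAL = re.compile(r"\brid\s*:\s*0x[0-9a-fA-F]+\s*\((?P<rid>\d+)\)")

@dataclass
class PacFindings:
    validated: bool = False
    account_name: Optional[str] = None
    rid: Optional[int] = None
    proxy_target: Optional[str] = None                           # S4U2Proxy record: proxy target
    transited_services: List[str] = field(default_factory=list)  # and transited services

def parse_httpd_log(text: str) -> Dict[str, list]:
    """Collect GSS-API minor-status texts and failed DCERPC binds from the IPA web server log."""
    out: Dict[str, list] = {"gss_errors": [], "bind_failures": []}
    for line in text.splitlines():
        if m := GSS_FAIL.search(line):
            out["gss_errors"].append(m.group("minor").strip())
        if m := BIND_FAIL.search(line):
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["interface"] = RPC_INTERFACES.get(d["uuid"], "unknown")
            out["bind_failures"].append(d)
    return out

def parse_pac_dump(text: str) -> PacFindings:
    """Walk smbd's NDR print of PAC_DATA and pull out the identity and delegation fields."""
    out = PacFindings()
    buf = fld = None  # current PAC buffer type / lsa_String field awaiting its 'string :' line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Successfully validated Kerberos PAC"):
            out.validated = True
        elif m := PAC_TYPE.search(line):
            buf, fld = m.group(1), None
        elif line.startswith(("account_name: struct", "proxy_target: struct", "transited_services: struct")):
            fld = line.split(":", 1)[0]
        elif (m := STRING_VAL.search(line)) and fld:
            if buf == "PAC_TYPE_LOGON_INFO" and fld == "account_name":
                out.account_name = m.group("v")
            elif buf == "PAC_TYPE_CONSTRAINED_DELEGATION" and fld == "proxy_target":
                out.proxy_target = m.group("v")
            elif buf == "PAC_TYPE_CONSTRAINED_DELEGATION" and fld == "transited_services":
                out.transited_services.append(m.group("v"))
            fld = None  # one value per lsa_String; strings such as full_name are ignored
        elif (m := RID_VAL.search(line)) and buf == "PAC_TYPE_LOGON_INFO":
            out.rid = int(m.group("rid"))
    return out

def triage(httpd_text: str, smbd_text: str) -> List[str]:
    """Combine both sides into short findings; each is read from the logs, not guessed."""
    client, pac = parse_httpd_log(httpd_text), parse_pac_dump(smbd_text)
    notes = []
    if pac.validated and pac.proxy_target and pac.transited_services:
        notes.append(f"server side: smbd validated a PAC for '{pac.account_name}' (RID {pac.rid}) carrying "
                     f"an S4U2Proxy record between {pac.proxy_target} and {', '.join(pac.transited_services)}")
    for err in client["gss_errors"]:
        notes.append(f"client side: GSS-API context setup failed: {err}")
    for b in client["bind_failures"]:
        notes.append(f"client side: DCERPC bind to {b['interface']} on {b['host']}:{b['port']} returned {b['status']}")
    return notes
```

Calling triage() on the two constructed samples yields three findings: smbd accepted a PAC for admin (RID 500) that carries the S4U2Proxy record between HTTP/dlp.ipa.srv.world and cifs/dlp.ipa.srv.world, while on the web-server side the GSS-API client reported an empty credential cache and the lsarpc bind to dlp.ipa.srv.world:49152 returned NT_STATUS_LOGON_FAILURE. To use it on a real box, read /var/log/httpd/error_log and the smbd log (at a debug level high enough to print the PAC) into the two arguments; the parsers use re.search, so the timestamp and pid prefixes on real lines do not matter.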